Enabling the KVM host for IBM Secure Execution

A cloud provider sets up a KVM host in an LPAR for IBM Secure Execution.

About this task

The KVM host must opt in to IBM Secure Execution, that is, to use the Ultravisor. Use the prot_virt kernel parameter to opt in for IBM Secure Execution on the host.

Procedure

Modify a Linux instance to be able to act as an IBM Secure Execution host.

  1. Modify the boot configuration.
    For example, if you use zipl, add the parameter prot_virt to the parameters in the zipl.conf file and save.
    For example:
    # vi zipl.conf
    ...
    parameters=" ...prot_virt=1"
    ...
    Run zipl. For more information about zipl, see the Device Drivers, Features, and Commands or the man page.
  2. From the HMC, IPL the device, which then boots the secure KVM host.
    The KVM host then donates some memory to the ultravisor. The ultravisor uses the memory to store the security context for memory in the LPAR. Because of this memory donation, the KVM host sees slightly less memory than what is available in the LPAR. The resulting setup is shown in Figure 1.
    Figure 1. A KVM host is set up to run in IBM Secure Execution mode
    Create a KVM host for IBM Secure Execution by creating a bootable image for the host
  3. Verify that the opt-in was successful.
    Check the output of the dmesg command. The command must show that memory was reserved for the ultravisor.
    For example:
    [ 1.010810] Reserving 322MB as ultravisor base storage
    The exact amount varies with the size of the LPAR.
    Tip: In a trusted environment, if your distribution supports it, you can read sysfs attributes as indicators of IBM Secure Execution mode:
    • sys/firmware/uv/prot_virt_host. The KVM host runs in IBM Secure Execution mode if the value is 1.
    • sys/firmware/uv/prot_virt_guest. The KVM guest runs in IBM Secure Execution mode if the value is 1.

    Note that this does not constitute full proof that the host or guest is secure.